Question 1
What is the primary goal of information security governance?
A. To implement technical controls
B. To ensure compliance with regulations
C. To align security with business objectives
D. To manage IT operations
Correct: C
Explanation: The primary goal of information security governance is to align security strategies with
business objectives to ensure that security supports and enables the organization's goals.
Question 2
Which of the following is NOT a component of risk management?
A. Risk assessment
B. Risk treatment
C. Risk acceptance
D. Risk creation
Correct: D
Explanation: Risk creation is not a component of risk management. Risk management involves risk
assessment, risk treatment, and risk acceptance to identify, evaluate, and mitigate risks.
Question 3
What does GDPR stand for?
A. General Data Protection Regulation
B. Global Data Privacy Regulation
C. General Data Privacy Rules
D. Global Data Protection Rules
Correct: A
Explanation: GDPR stands for General Data Protection Regulation, a regulation in EU law on data
protection and privacy for all individuals within the European Union.
Question 4
Which of the following is a key performance indicator (KPI) for information security?
A. Number of viruses detected
B. Mean time to detect (MTTD) incidents
C. Number of security policies created
D. Amount of data stored
Correct: B
Explanation: Mean time to detect (MTTD) incidents is a crucial KPI for information security as it
measures the efficiency of incident detection processes.
Question 5
What is the first step in the incident response process?
A. Containment
B. Eradication
C. Identification
D. Recovery
Correct: C
Explanation: The first step in the incident response process is identification, where potential security
incidents are detected and analyzed.
Question 6
Which of the following is NOT a type of risk treatment option?
A. Avoidance
B. Mitigation
C. Ignorance
D. Acceptance
Correct: C
Explanation: Ignorance is not a type of risk treatment option. The valid risk treatment options are
avoidance, mitigation, transfer, and acceptance.
Question 7
What does the principle of least privilege entail?
A. Granting all users full access to all systems
B. Restricting access to only what is necessary for users to perform their jobs
C. Allowing users to share their access with others
D. Providing users with access to all data
Correct: B
Explanation: The principle of least privilege involves restricting access rights for users to the bare
minimum permissions they need to perform their work.
Question 8
Which of the following is a network security control?
A. Antivirus software
B. Firewall
C. Data encryption
D. Biometric authentication
Correct: B
Explanation: A firewall is a network security control that monitors and controls incoming and outgoing
network traffic based on predetermined security rules.
Question 9
What is the purpose of a business continuity plan (BCP)?
A. To prevent all disasters
B. To ensure business operations continue during and after a disaster
C. To eliminate all risks
D. To reduce insurance costs
Correct: B
Explanation: The purpose of a business continuity plan (BCP) is to ensure that business operations can
continue during and after a disaster.
Question 10
Which of the following is a symmetric encryption algorithm?
A. RSA
B. AES
C. DSA
D. ECC
Correct: B
Explanation: AES (Advanced Encryption Standard) is a symmetric encryption algorithm, meaning it uses
the same key for both encryption and decryption.
Question 11
What is the primary benefit of using multi-factor authentication (MFA)?
A. Simplifying the login process
B. Reducing the need for passwords
C. Enhancing security by requiring multiple verification factors
D. Increasing system performance
Correct: C
Explanation: The primary benefit of using multi-factor authentication (MFA) is enhancing security by
requiring multiple verification factors, making it more difficult for unauthorized users to gain access.
Question 12
Which of the following is NOT a type of malware?
A. Virus
B. Worm
C. Trojan
D. Firewall
Correct: D
Explanation: A firewall is not a type of malware. Malware includes viruses, worms, trojans, and other
malicious software.
Question 13
What is the purpose of a vulnerability assessment?
A. To fix all security issues immediately
B. To identify and evaluate security weaknesses
C. To eliminate all risks
D. To increase system performance
Correct: B
Explanation: The purpose of a vulnerability assessment is to identify and evaluate security weaknesses
in a system.
Question 14